Certing up the HCX Destination

Certs don't seem to be mentioned in the HCX documentation, but they are vital for making a connection. If the source and destination appliances do not share a trusted root, do the following to enable trusted communication between them. This is the first step; the second comes when the same certificate is used again while setting up the source.

The following files will be created. WinSCP them to the host you are doing the deployment from:

private.crt

public.crt

Browse to https://[cloud-hcx-fqdn]:9443 -> Administration -> Server Certificate. Open the files in a text editor and paste the content of:

public.crt into the 'Server Certificate' section.

private.crt into the 'Private Key' section.
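The post names private.crt and public.crt but does not show the command that produces them. The following is an added example, not the author's: a POSIX shell snippet that generates a self-signed key and certificate for the destination HCX FQDN with openssl, using the post's file names (the private key lives in private.crt), and checks the pair before it is pasted into the Server Certificate page. It assumes openssl 1.1.1 or later is on the path; the FQDN in the usage comment is a placeholder for [cloud-hcx-fqdn].

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check the
# private.crt / public.crt pair for the destination HCX appliance.
# Assumes openssl 1.1.1+ is on PATH; the FQDNs used are placeholders.

# make_hcx_cert OUTDIR FQDN [DAYS]
# Writes OUTDIR/private.crt (the PEM private key, using the post's file
# name) and OUTDIR/public.crt (a self-signed X.509 certificate). A TLS
# client checks the host name against the SAN, so the HCX FQDN goes
# there as well as in the CN.
make_hcx_cert() {
    outdir=$1 fqdn=$2 days=${3:-365}
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$outdir/private.crt" -out "$outdir/public.crt" \
        2>/dev/null || return 1
    # Anyone holding this key can impersonate the appliance; keep it owner-only.
    chmod 600 "$outdir/private.crt"
}

# check_hcx_cert OUTDIR FQDN
# Succeeds only if the certificate lists FQDN in its SAN and the key in
# private.crt is the one the certificate was issued for, then prints the
# expiry so it can be tracked: an expired cert breaks the interconnect
# in the same way as a missing one.
check_hcx_cert() {
    outdir=$1 fqdn=$2
    openssl x509 -noout -text -in "$outdir/public.crt" | grep -qF "DNS:$fqdn" \
        || { echo "public.crt has no SAN entry for $fqdn" >&2; return 1; }
    certpub=$(openssl x509 -noout -pubkey -in "$outdir/public.crt")
    keypub=$(openssl pkey -pubout -in "$outdir/private.crt")
    [ "$certpub" = "$keypub" ] \
        || { echo "private.crt does not match public.crt" >&2; return 1; }
    openssl x509 -noout -enddate -in "$outdir/public.crt"
}

# Usage (placeholder FQDN standing in for the post's [cloud-hcx-fqdn]):
#   make_hcx_cert ./hcx-certs hcx.cloud.example.test && \
#   check_hcx_cert ./hcx-certs hcx.cloud.example.test
```

Because the certificate is self-signed there is still no shared root: the source appliance has to be told to trust exactly this certificate, which is what the "Certing up the HCX Source" step later in the post is for. Note the notAfter date that check_hcx_cert prints; the pair will need to be regenerated and re-trusted on both sides before it lapses.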

Installing VxRack Certs on VxRail

In my case I wanted to understand where configuring this connection could fall down, so I deliberately didn't install signed certs on the VxRack SDDC. If this is the case for your Enterprise vCenter then you might need to carry out this process before you will be able to configure HCX interconnects. BTW, the symptom of this being needed is that your HCX Interconnects will fail to install the gateway host into the destination vCenter, as that vCenter won't trust the SSL cert of the source system that is trying to do that.

Install the \download\certs\lin\xxxxxxx.0 files (there should be one per PSC in the VxRack), where the trailing 0 is a digit that might vary.

Wait (takes several mins for them to show)

VxRack Specific Preparation Items

Because I am using a VxRack SDDC as my source, and because I don't have a common DNS system available to both source and destination systems, I needed to add some entries to the unbound DNS configuration for the VxRack. Skip this step if you already have full resolution for all your entries (or if you are not using a VxRack).

SSH into [sddc-controller-ip] root / [sddc-manager-root-password]

vi /etc/unbound/unbound.conf

Add entries for the HCX Source System to the local zone for the VxRack (use plain ASCII double quotes; unbound rejects the typographic quotes a web copy-paste tends to carry)

local-data: "[enterprise-hcx-fqdn]. IN A [enterprise-hcx-ip]"

local-data-ptr: "[enterprise-hcx-ip] [enterprise-hcx-fqdn]"

Add entries for the HCX Destination Systems

local-zone: "[cloud-ad-domain]." static

local-data: "[cloud-vcenter-fqdn]. IN A [cloud-vcenter-ip]"

local-data-ptr: "[cloud-vcenter-ip] [cloud-vcenter-fqdn]"

local-data: "[cloud-hcx-fqdn]. IN A [cloud-hcx-ip]"

local-data-ptr: "[cloud-hcx-ip] [cloud-hcx-fqdn]"

systemctl restart unbound.service

systemctl status unbound.service

Test name resolution for the above entries

SSH into [sddc-manager-ip] root / [sddc-manager-root-password]

vi /etc/unbound/unbound.conf

Add entries for the HCX Source System to the local zone for the VxRack (plain ASCII double quotes, as above)

local-data: "[enterprise-hcx-fqdn]. IN A [enterprise-hcx-ip]"

local-data-ptr: "[enterprise-hcx-ip] [enterprise-hcx-fqdn]"

Add entries for the HCX Destination Systems

local-zone: "[cloud-ad-domain]." static

local-data: "[cloud-vcenter-fqdn]. IN A [cloud-vcenter-ip]"

local-data-ptr: "[cloud-vcenter-ip] [cloud-vcenter-fqdn]"

local-data: "[cloud-hcx-fqdn]. IN A [cloud-hcx-ip]"

local-data-ptr: "[cloud-hcx-ip] [cloud-hcx-fqdn]"

systemctl restart unbound.service

systemctl status unbound.service

Test name resolution for the above entries
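The two unbound edits above (on the SDDC controller and on the SDDC manager) carry the same records, and the easiest way to break both resolvers at once is to paste the snippet with the typographic quotes it picks up from a web page. The following is an added example, not from the original post: a POSIX shell snippet that prints the local-zone, local-data and local-data-ptr records for a list of hosts with ASCII quotes and the trailing dot unbound expects, plus a check that flags curly quotes in an existing unbound.conf before the service is restarted. The host names and addresses in the demo call are constructed placeholders standing in for the post's bracketed values.

```shell
#!/bin/sh
# Added example, not from the original post: emit unbound local-data
# records with plain ASCII quotes and catch the typographic quotes that
# make unbound refuse its config after a web copy-paste.

# unbound_local_data FQDN IP
# Prints the forward A record and the matching PTR record for one host.
# The trailing dot on the A record name is required: without it unbound
# treats the name as relative rather than fully qualified.
unbound_local_data() {
    fqdn=${1%.}        # accept the name with or without a trailing dot
    ip=$2
    printf 'local-data: "%s. IN A %s"\n' "$fqdn" "$ip"
    printf 'local-data-ptr: "%s %s"\n' "$ip" "$fqdn"
}

# unbound_local_zone DOMAIN "fqdn1 ip1" "fqdn2 ip2" ...
# Declares a static local zone for DOMAIN and one A/PTR pair per host.
# 'static' means a name under DOMAIN that is not listed here answers
# NXDOMAIN instead of being forwarded upstream, so every destination
# host the interconnect talks to has to be listed.
unbound_local_zone() {
    domain=${1%.}
    shift
    printf 'local-zone: "%s." static\n' "$domain"
    for pair in "$@"; do
        set -- $pair   # split "fqdn ip" on whitespace
        unbound_local_data "$1" "$2"
    done
}

# unbound_check_quotes FILE
# Returns 1 and lists the offending lines if FILE contains U+201C/U+201D
# curly quotes, which unbound rejects; run it before systemctl restart so
# a bad paste does not take the VxRack resolver down.
unbound_check_quotes() {
    curly=$(printf '\342\200\234|\342\200\235')
    if grep -Eq "$curly" "$1"; then
        echo "typographic quotes found in $1:" >&2
        grep -En "$curly" "$1" >&2
        return 1
    fi
    return 0
}

# unbound_fix_quotes < IN > OUT
# Filter that rewrites curly quotes to ASCII double quotes.
unbound_fix_quotes() {
    lq=$(printf '\342\200\234') rq=$(printf '\342\200\235')
    sed "s/$lq/\"/g; s/$rq/\"/g"
}

# Demo with constructed placeholder names for [cloud-ad-domain],
# [cloud-vcenter-fqdn] and [cloud-hcx-fqdn]:
unbound_local_zone "cloud.example.test" \
    "vcenter.cloud.example.test 192.0.2.20" \
    "hcx.cloud.example.test 192.0.2.10"
```

After editing unbound.conf on either host, unbound-checkconf (shipped with unbound) validates the whole file and is a cheaper check than restarting and reading systemctl status; run it after the quote check and before the restart.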

Deploy the HCX Enterprise System

Note: the buttons to download the OVA or copy the link won't even be present if internet connectivity is a problem, so if you don't see what you expect to see, check access from the HCX appliance to http://hcx.vmware.com

Log into [enterprise-vcenter-fqdn]

Right click [enterprise-cluster] -> Deploy OVF Template

Name: [enterprise-hcx-vmname]

Storage

Datastore: [enterprise-datastore]

Format: Thin Provision

Policy: vSAN Default Storage Policy

Network: [enterprise-mgmt-portgroup]

Customize

DNS: [enterprise-dns-server]

Domain Search List: [enterprise-ad-domain]

Gateway: [enterprise-mgmt-gateway]

Hostname: [enterprise-hcx-hostname]

IP: [enterprise-hcx-ip]

Prefix: [enterprise-mgmt-prefix-length]

admin password: [enterprise-hcx-admin-password]

root password: [enterprise-hcx-root-password]

Enable SSH: Selected

NTP: [enterprise-ntp-ip]

Configure the HCX Enterprise Appliance

Login to https://[enterprise-hcx-fqdn]:9443

User: admin

Password: [enterprise-hcx-admin-password]

Activate -> [nsx-enterprise-plus-license] -> Configure

Location: [enterprise-hcx-location]

Yes, Continue

System Name: [enterprise-hcx-fqdn]

vCenter: [enterprise-vcenter-fqdn]

User: [enterprise-sso-admin-username]

Password: [enterprise-sso-admin-password]

Connect your NSX: Selected

NSX: [enterprise-nsx-manager-fqdn]

User: [enterprise-nsx-manager-admin]

Password: [enterprise-nsx-manager-admin-password]

Continue

SSO: [enterprise-psc-lb-fqdn]

Restart

Assign HCX Roles to whichever vCenter User Groups you want to allow to perform HCX operations

Certing up the HCX Source

This is part 2 of the process I mentioned you might need in order to get the appliances to connect.

You should now have a system that looks a bit like this. You can repeat as necessary for other vCenter systems, based on what you have available. For instance, in my case I configured HCX between the management domains of the VxRack and the VxRail, and I did likewise for the workload domains of each.

Your destination system will look a little different now, as there will be new gateway hosts present in your vCenter to enable the migrations.